2,201 changes: 1,713 additions & 488 deletions Cargo.lock


2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -18,7 +18,7 @@ axum-server = { version = "0.8.0", features = ["tls-openssl"] }
chrono = "0.4.44"
clap = { version = "4.6.1", features = ["derive"] }
clevis-pin-trustee-lib = { git = "https://github.com/latchset/clevis-pin-trustee" }
compute-pcrs-lib = { git = "https://github.com/trusted-execution-clusters/compute-pcrs" }
compute-pcrs-lib = { git = "https://github.com/trusted-execution-clusters/compute-pcrs", rev = "1e7b9f74206e436d1426c335e30b2f1a6bd1681e"}
env_logger = { version = "0.11.10", default-features = false }
http = "1.4.0"
ignition-config = "0.6.1"
2 changes: 2 additions & 0 deletions Containerfile
Expand Up @@ -23,6 +23,8 @@ RUN sed -i 's/members = .*/members = ["lib", "operator"]/' Cargo.toml && \
# In debug builds, build dependencies to avoid full rebuild.
RUN if [ "$build_type" = debug ]; then cargo build -p operator; fi

RUN dnf install -y perl-FindBin perl-core

# Target build stage
COPY operator/src operator/src
RUN cargo build -p operator $(if [ "$build_type" = release ]; then echo --release; fi)
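Review bot: The new `RUN dnf install -y perl-FindBin perl-core` step comes after the debug-only `cargo build -p operator` dependency pre-build on the line above it, so in a debug build the dependency tree is compiled before perl exists; if the reason for adding perl is a build script in the newly pulled dependency tree (a vendored OpenSSL build is the usual consumer of these two packages, but I cannot confirm that from here), the pre-build step will fail in debug mode or, at best, the layer ordering throws away its cache. Move the install above the debug pre-build, or fold it into the image's existing package-install step, and state the consumer, e.g. `# perl is needed by the OpenSSL build script pulled in via kbs-client`. Appending `&& dnf clean all` would also keep the dnf cache out of the build layer. The surrounding build stage starts before the hunk.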
1 change: 1 addition & 0 deletions operator/Cargo.toml
Expand Up @@ -31,6 +31,7 @@ serde_json.workspace = true
thiserror = "2.0.18"
tokio.workspace = true
toml = "1.1.2"
kbs-client = {git = "https://github.com/confidential-containers/trustee.git", rev="54d10fdb80ce249b56d5b15bd0f6e44746fd3e20"}

[dev-dependencies]
http.workspace = true
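Review bot: The new `kbs-client` git dependency is pinned by `rev`, which is the right choice for a client that will push key material to the KBS, but nothing records why that commit was picked or how it should be bumped; a comment such as `# trustee publishes no crate release; pinned to a known-good commit — bump deliberately and re-run cargo audit` next to the line would keep that decision visible. The Cargo.lock diffstat above (1,713 additions) shows this brings in a large tree, so it is worth checking whether `default-features = false` plus only the features the operator needs trims it — I cannot see the crate's feature set from here. Style: the workspace `Cargo.toml` in this PR writes `rev = "…"` with spaces around `=`; match it here.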
10 changes: 7 additions & 3 deletions operator/src/kbs-config.toml
Expand Up @@ -2,7 +2,12 @@
sockets = ["0.0.0.0:8080"]

[admin]
type = "DenyAll"
type = "Simple"
Sorry about this one, didn't see it coming but you fixed it :)


[[admin.personas]]
id = "admin"
public_key_path = "/key/public.pub"


[attestation_token]
insecure_key = true
Expand Down Expand Up @@ -30,8 +35,7 @@ policy_engine = "opa"

[[plugins]]
name = "resource"
type = "LocalFs"
dir_path = "/opt/trustee/kbs-repository"
type = "kvstorage"

[policy_engine]
policy_path = "/opt/trustee/policy.rego"
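Review bot: Switching `[admin]` from `DenyAll` to `Simple` enables the KBS admin API, so whoever holds the private half of the key at `/key/public.pub` can write every resource that attested guests later fetch, and the config says nothing about that trust boundary. Add above `[[admin.personas]]`: `# Admin API enabled: the private key pairing with /key/public.pub grants full write access to all resources. Mount only the public key into the KBS pod; keep the private half in the operator-managed Secret and RBAC-restrict it.` The `resource` plugin also moves from `LocalFs` with an on-disk `dir_path` to `kvstorage` with no backend settings, so whether stored secrets survive a KBS restart now depends on that plugin's defaults, which I cannot see from here; a comment stating the expectation (and that the sync controller re-sends them, if that is the design) would help the next reader. The unchanged `insecure_key = true` under `[attestation_token]` is now paired with a writable admin API, and if it is a development-only setting it deserves a comment saying so.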
8 changes: 8 additions & 0 deletions operator/src/main.rs
Expand Up @@ -187,6 +187,12 @@ async fn install_trustee_configuration(
Err(e) => error!("Failed to create the attestation policy configmap: {e}"),
}

match trustee::generate_trustee_auth_keys_secret(client.clone(), owner_reference.clone()).await
{
Ok(_) => info!("Generate auth keys for the KBS API",),
Err(e) => error!("Failed to create the auth keys: {e}"),
}

let kbs_port = cluster.spec.trustee_kbs_port;
match trustee::generate_kbs_service(client.clone(), owner_reference.clone(), kbs_port).await {
Ok(_) => info!("Generate the KBS service"),
Expand All @@ -198,6 +204,7 @@ async fn install_trustee_configuration(
"RELATED_IMAGE_TRUSTEE",
"quay.io/trusted-execution-clusters/key-broker-service:20260106",
);

match trustee::generate_kbs_deployment(client, owner_reference, &trustee_image, trustee_secret)
.await
{
Expand Down Expand Up @@ -290,6 +297,7 @@ async fn main() -> Result<()> {
attestation_key_register::launch_ak_controller(kube_client.clone()).await;
attestation_key_register::launch_machine_ak_controller(kube_client.clone()).await;
attestation_key_register::launch_secret_ak_controller(kube_client.clone()).await;
trustee::launch_trustee_sync_controller(kube_client.clone()).await;

let ctx = Arc::new(ClusterContext {
client: kube_client,
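Review bot: When `generate_trustee_auth_keys_secret` fails the code only logs and falls through to `generate_kbs_deployment`, yet the KBS config in this PR now requires `/key/public.pub` for its admin persona, so the deployment is created against a key that may not exist; the neighbouring steps follow the same log-and-continue pattern, but this one is a prerequisite for the admin API rather than an independent resource. Consider propagating it — `Err(e) => return Err(anyhow!("failed to create the KBS auth keys: {e}"))` — or skipping the deployment when the Secret is missing, subject to the function's return type, which is declared before the hunk. The success arm also carries a stray trailing comma inside the macro call: `Ok(_) => info!("Generate auth keys for the KBS API"),`. The `launch_trustee_sync_controller` call in the last hunk is fire-and-forget like its neighbours, so a one-line comment on what it syncs (presumably machine secrets into the KBS) would help; `install_trustee_configuration` and `main` both start outside the hunks.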
12 changes: 7 additions & 5 deletions operator/src/register_server.rs
Expand Up @@ -139,7 +139,7 @@ async fn keygen_reconcile(
async {
let owner_reference = generate_owner_reference(&Arc::unwrap_or_clone(machine))?;
trustee::generate_secret(kube_client.clone(), id, owner_reference).await?;
trustee::mount_secret(kube_client, id).await
trustee::send_secret(kube_client, id).await
}
.await
.map(|_| Action::await_change())
Expand Down Expand Up @@ -185,10 +185,12 @@ async fn keygen_reconcile(
}
}

trustee::unmount_secret(kube_client, id)
.await
.map(|_| Action::await_change())
.map_err(|e| finalizer::Error::<ControllerError>::CleanupFailed(e.into()))
trustee::delete_secret(kube_client, id).await.map_err(|e| {
finalizer::Error::<ControllerError>::CleanupFailed(
anyhow!("failed to delete secret for machine {id}: {e}").into(),
)
})?;
Ok(Action::await_change())
}
}
})
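Review bot: The cleanup path now fails the finalizer whenever `trustee::delete_secret` errors, which is right for a transient KBS outage but will pin a Machine forever when the secret was never successfully pushed (the `send_secret` call in the first hunk can fail after `generate_secret` succeeded) or was already removed; unless `delete_secret` itself maps a not-found response to `Ok`, which I cannot see from here, the finalizer should treat not-found as success so deletion converges. A comment on the `?` line would make the retry contract explicit: `// Any other error is returned so the finalizer retries rather than leaking the KBS copy.` The rename from `mount_secret`/`unmount_secret` to `send_secret`/`delete_secret` suggests the secret is now pushed over the KBS admin API instead of mounted locally, so this reconcile implicitly depends on the auth-keys Secret being in place — worth a one-line comment at the `send_secret` call. `keygen_reconcile` starts and ends outside the hunks.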